Joint task force transformation initiative


TABLE H-2: MAPPING ISO/IEC 27001 TO NIST SP 800-53




Annex A control numbering below is that of ISO/IEC 27001:2005. In the right-hand column, "XX-1 controls" denotes the policy and procedures control (the -1 control) of every SP 800-53 control family; section and subsection headings of Annex A have no mapping of their own.

ISO/IEC 27001 CONTROLS | NIST SP 800-53 CONTROLS
A.5 Security Policy |
A.5.1 Information security policy |
A.5.1.1 Information security policy document | XX-1 controls, PM-1
A.5.1.2 Review of the information security policy | XX-1 controls, PM-1
A.6 Organization of information security |
A.6.1 Internal |
A.6.1.1 Management commitment to information security | XX-1 controls, PM-1, PM-2, PM-3
A.6.1.2 Information security coordination | XX-1 controls, PM-1, PM-2, CP-2, CP-4, IR-4, PL-1, PL-2, SA-2
A.6.1.3 Allocation of information security responsibilities | XX-1 controls, PM-1, PM-2, PM-10, CM-9, CP-2, PS-7, SA-3, SA-9
A.6.1.4 Authorization process for information processing facilities | PM-10, CA-1, CA-6
A.6.1.5 Confidentiality agreements | PL-4, PS-6, SA-9
A.6.1.6 Contact with authorities | IR-4, IR-6, IR-7, PE-13, SA-19, SI-5
A.6.1.7 Contact with special interest groups | PM-15, SI-5
A.6.1.8 Independent review of information security | PM-9, CA-1, CA-2, CA-7, SA-11
A.6.2 External parties |
A.6.2.1 Identification of risks related to external parties | PM-9, AC-20, CA-3, RA-3, SA-9
A.6.2.2 Addressing security when dealing with customers | AC-8, AT-2, AT-3, CA-2, CA-3, PL-4, SA-9
A.6.2.3 Addressing security in third party agreements | CA-3, PL-4, PS-6, PS-7, SA-9
A.7 Asset management |
A.7.1 Responsibility for assets |
A.7.1.1 Inventory of assets | PM-5, CM-8, CM-9
A.7.1.2 Ownership of assets | PM-5, CM-8, CM-9
A.7.1.3 Acceptable use of assets | AC-20, PL-4, PS-6
A.7.2 Information classification |
A.7.2.1 Classification guidelines | RA-2
A.7.2.2 Information labeling and handling | AC-3, AC-4, AC-16, MP-2, MP-3, SC-16
A.8 Human resources security |
A.8.1 Prior to employment |
A.8.1.1 Roles and responsibilities | XX-1 controls, PL-4, PS-2, PS-6, PS-7
A.8.1.2 Screening | PS-3, SA-21
A.8.1.3 Terms and conditions of employment | PL-4, PS-6
A.8.2 During employment |
A.8.2.1 Management responsibilities | PL-4, PS-6, PS-7, SA-9
A.8.2.2 Awareness, education, and training | PM-13, PM-14, AT-2, AT-3, CP-3, IR-2, SA-16
A.8.2.3 Disciplinary process | PS-8
A.8.3 Termination or change of employment |
A.8.3.1 Termination responsibilities | PS-4, PS-5
A.8.3.2 Return of assets | PS-4, PS-5
A.8.3.3 Removal of access rights | AC-2, PE-2, PS-4, PS-5
A.9 Physical and environmental security |
A.9.1 Secure areas |
A.9.1.1 Physical security perimeter | PE-3, PE-4, PE-5
A.9.1.2 Physical entry controls | MA-5, PE-2, PE-3, PE-4, PE-5, PE-6, PE-8
A.9.1.3 Securing offices, rooms, facilities | PE-3, PE-4, PE-5
A.9.1.4 Protecting against external and environmental threats | CP-2, CP-6, CP-7, PE-1, PE-9, PE-13, PE-15, PE-18, PE-19
A.9.1.5 Working in secure areas | PE-1
A.9.1.6 Public access, delivery and loading areas | PE-3, PE-16
A.9.2 Equipment security |
A.9.2.1 Equipment siting and protection | PE-13, PE-14, PE-15, PE-18, PE-19
A.9.2.2 Supporting utilities | CP-8, PE-9, PE-10, PE-11, PE-12, PE-14
A.9.2.3 Cabling security | PE-4, PE-9
A.9.2.4 Equipment maintenance | MA-2, MA-3, MA-4, MA-5, MA-6
A.9.2.5 Security of equipment off-premises | AC-19, AC-20, MP-5, PE-17
A.9.2.6 Secure disposal or reuse of equipment | MP-6
A.9.2.7 Removal of property | MA-2, MP-5, PE-16
A.10 Communications and operations management |
A.10.1 Operational procedures and responsibilities |
A.10.1.1 Documented operating procedures | XX-1 controls, SA-5
A.10.1.2 Change management | CM-2, CM-3, CM-4, CM-5, CM-9, SA-10
A.10.1.3 Segregation of duties | AC-5
A.10.1.4 Separation of development, test and operational facilities | CM-2, CM-4, CM-9, SA-10
A.10.2 Third-party service delivery management |
A.10.2.1 Service delivery | SA-9
A.10.2.2 Monitoring and review of third-party services | SA-9
A.10.2.3 Managing changes to third-party services | SA-9, SA-10
A.10.3 System planning and acceptance |
A.10.3.1 Capacity management | AU-4, AU-5, CP-2, SA-2, SC-5
A.10.3.2 System acceptance | CA-2, CA-6, CM-3, CM-4, CM-9, SA-4, SA-10, SA-11
A.10.4 Protection against malicious and mobile code |
A.10.4.1 Controls against malicious code | AC-19, AT-2, AT-3, CM-11, IR-2, IR-8, MA-3, MP-7, SC-7, SC-42, SI-1, SI-3, SI-5, SI-7
A.10.4.2 Controls against mobile code | SA-8, SC-2, SC-3, SC-7, SC-18
A.10.5 Backup |
A.10.5.1 Information backup | CP-9
A.10.6 Network security management |
A.10.6.1 Network controls | AC-3, AC-17, AC-18, AC-20, CA-3, SC-5, SC-7, SC-8, SC-10
A.10.6.2 Security of network services | CA-3, SA-9
A.10.7 Media handling |
A.10.7.1 Management of removable media | MP-1, MP-4, MP-5, MP-6, MP-7
A.10.7.2 Disposal of media | MP-6
A.10.7.3 Information handling procedures | AC-3, AC-4, AC-16, AC-19, MP-2, MP-3, SI-10, SI-12
A.10.7.4 Security of system documentation | AC-3, MP-3, MP-4, SA-5
A.10.8 Exchange of information |
A.10.8.1 Information exchange policies and procedures | AC-1, AC-3, AC-4, AC-17, AC-18, AC-20, CA-3, PL-4, PS-6, SC-1, SC-7, SC-8, SC-15
A.10.8.2 Exchange agreements | CA-3, SA-9
A.10.8.3 Physical media in transit | MP-5
A.10.8.4 Electronic messaging | AU-10, SC-7, SC-8, SC-44
A.10.8.5 Business information systems | AC-17, CA-3
A.10.9 Electronic commerce services |
A.10.9.1 Electronic commerce | AC-3, AU-10, IA-2, IA-8, SC-7, SC-8, SC-13
A.10.9.2 Online transactions | AC-3, AU-10, IA-2, IA-8, SC-2, SC-3, SC-7, SC-8, SC-13
A.10.9.3 Publicly available information | AC-3, AC-22, SI-3, SI-4, SI-5, SI-7, SI-10
A.10.10 Monitoring |
A.10.10.1 Audit logging | AU-2, AU-3, AU-8, AU-11, AU-12, AU-14
A.10.10.2 Monitoring system use | AU-2, AU-3, AU-6, AU-7, AU-12, CM-6, CM-11, PE-6, PE-8, SC-7, SI-4, SI-6, SI-7
A.10.10.3 Protection of log information | AU-4, AU-5, AU-9, SI-4
A.10.10.4 Administrator and operator logs | AU-2, AU-3, AU-12
A.10.10.5 Fault logging | AU-2, AU-6, AU-12, SI-6
A.10.10.6 Clock synchronization | AU-8
A.11 Access control |
A.11.1 Business requirement for access control |
A.11.1.1 Access control policy | AC-1, MP-1
A.11.2 User access management |
A.11.2.1 User registration | AC-2, IA-4, IA-5
A.11.2.2 Privilege management | AC-2, AC-3, AC-6
A.11.2.3 User password management | IA-5
A.11.2.4 Review of user access rights | AC-2
A.11.3 User responsibilities |
A.11.3.1 Password use | IA-5
A.11.3.2 Unattended user equipment | AC-11, SC-10
A.11.3.3 Clear desk and clear screen policy | AC-1, AC-11, MP-1, MP-2, MP-4
A.11.4 Network access control |
A.11.4.1 Policy on use of network services | AC-1, AC-6, AC-17, AC-18, AC-20, CM-7, SC-1, SC-7
A.11.4.2 User authentication for external connections | AC-17, AC-18, AC-20, CA-3, IA-2, IA-3, IA-8
A.11.4.3 Equipment identification in networks | AC-19, IA-3
A.11.4.4 Remote diagnostic and configuration port protection | AC-6, CM-7, MA-2, MA-4, PE-3
A.11.4.5 Segregation in networks | AC-4, SC-2, SC-7
A.11.4.6 Network connection control | AC-17, AC-18, AC-19, AC-20, CM-7, SC-7
A.11.4.7 Network routing control | AC-4, SC-7
A.11.5 Operating system access control |
A.11.5.1 Secure log-on procedures | AC-7, AC-8, AC-9, IA-2, IA-5, IA-6, IA-8
A.11.5.2 User identification and authentication | AC-2, IA-2, IA-4, IA-5, IA-8
A.11.5.3 Password management system | IA-5, IA-6
A.11.5.4 Use of system utilities | AC-3, AC-6, AU-2, SC-2
A.11.5.5 Session time-out | AC-2, AC-11, AC-12, SC-10
A.11.5.6 Limitation of connection time | AC-2, IA-11, SC-43
A.11.6 Application and information access control |
A.11.6.1 Information access restriction | AC-1, AC-3, AC-6, AC-22, AC-24
A.11.6.2 Sensitive system isolation | SC-7, SC-32
A.11.7 Mobile computing and teleworking |
A.11.7.1 Mobile computing and communications | AC-1, AC-17, AC-18, AC-19, PL-4, PS-6
A.11.7.2 Teleworking | AC-1, AC-17, PE-17, PL-4, PS-6
A.12 Information systems acquisition, development and maintenance |
A.12.1 Security requirements of information systems |
A.12.1.1 Security requirements analysis and specification | PL-7, PL-8, RA-2, SA-3, SA-4, SA-8
A.12.2 Correct processing in applications |
A.12.2.1 Input data validation | SI-10
A.12.2.2 Control of internal processing | SI-6, SI-7, SI-10
A.12.2.3 Message integrity | AU-10, SC-8, SC-23, SI-7
A.12.2.4 Output data validation | SI-15
A.12.3 Cryptographic controls |
A.12.3.1 Policy on the use of cryptographic controls | AC-1, MP-1, SC-1
A.12.3.2 Key management | SC-12, SC-17
A.12.4 Security of system files |
A.12.4.1 Control of operational software | CM-1, CM-2, CM-3, CM-4, CM-5, CM-7, CM-9, CM-10, CM-11, SC-18, SI-7
A.12.4.2 Protection of system test data | SA-15
A.12.4.3 Access control to program source code | AC-3, AC-6, CM-5, CM-9, MA-5, SA-10
A.12.5 Security in development and support processes |
A.12.5.1 Change control procedures | CM-1, CM-3, CM-9, SA-10
A.12.5.2 Technical review of applications after operating system changes | CM-3, CM-4, CM-9
A.12.5.3 Restrictions on changes to software packages | CM-3, CM-4, CM-5, CM-9, SA-10
A.12.5.4 Information leakage | AC-4, AU-13, PE-19, SC-31, SC-38
A.12.5.5 Outsourced software development | SA-1, SA-4, SA-9, SA-10, SA-11, SA-12, SA-13, SA-15
A.12.6 Technical vulnerability management |
A.12.6.1 Control of technical vulnerabilities | CA-7, RA-3, RA-5, SI-2, SI-5
A.13 Information security incident management |
A.13.1 Reporting information security events and weaknesses |
A.13.1.1 Reporting information security events | AU-6, IR-1, IR-6
A.13.1.2 Reporting security weaknesses | CA-2, CA-7, PL-4, SA-5, SA-11, SI-2, SI-5
A.13.2 Management of information security incidents and improvements |
A.13.2.1 Responsibilities and procedures | IR-1, IR-4
A.13.2.2 Learning from information security incidents | IR-4, IR-10
A.13.2.3 Collection of evidence | AU-7, AU-8, AU-9, AU-11, IR-4
A.14 Business continuity management |
A.14.1 Information security aspects of business continuity management |
A.14.1.1 Including information security in the business continuity management process | CP-1, CP-2
A.14.1.2 Business continuity and risk assessment | PM-9, CP-2, RA-3
A.14.1.3 Developing and implementing continuity plans including information security | CP-1, CP-2, CP-6, CP-7, CP-8, CP-9, CP-10, CP-11, CP-13
A.14.1.4 Business continuity planning framework | CP-2, CP-4
A.14.1.5 Testing, maintaining and reassessing business continuity plans | CP-2, CP-4
A.15 Compliance |
A.15.1 Compliance with legal requirements |
A.15.1.1 Identification of applicable legislation | XX-1 controls
A.15.1.2 Intellectual property rights (IPR) | CM-10
A.15.1.3 Protection of organizational records | AC-3, AU-9, AU-11, CP-9, MP-4, SA-5, SI-12
A.15.1.4 Data protection and privacy of personal information | Appendix J Privacy controls, SI-12
A.15.1.5 Prevention of misuse of information processing facilities | AC-8, AU-6, CM-11, PL-4, PS-6, PS-8
A.15.1.6 Regulation of cryptographic controls | IA-7, SC-13
A.15.2 Compliance with security policies and standards, and technical compliance |
A.15.2.1 Compliance with security policies and standards | XX-1 controls, CA-2, CA-7
A.15.2.2 Technical compliance checking | CA-2, CA-7, RA-5
A.15.3 Information systems audit considerations |
A.15.3.1 Information systems audit controls | AU-1, AU-2, SI-4
A.15.3.2 Protection of information systems audit tools | AU-9
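A crosswalk table is only useful once it is machine-readable, and copies of Table H-2 extracted from the PDF routinely lose the hyphen in control identifiers ("PL4" for "PL-4") and carry the "XX-1 controls" shorthand verbatim. The following Python is an added example, not part of SP 800-53 or of any NIST tooling. It parses rows written as "ISO control | NIST controls" (the pipe-separated layout is this page's own convention, not NIST's), canonicalises the identifiers, expands "XX-1 controls" to the -1 control of each Rev. 4 family (the family list and that expansion are this example's assumptions), builds the reverse 800-53-to-27001 index, and reports which Annex A controls a given set of implemented 800-53 controls covers fully, partially, or not at all. The sample rows are constructed here in the flattened spelling an extracted copy would have.

```python
"""Crosswalk helper for Table H-2 (ISO/IEC 27001:2005 Annex A -> SP 800-53 Rev. 4).

Added example; not NIST code. Assumes rows of the form
"A.6.1.5 Confidentiality agreements | PL-4, PS-6, SA-9".
"""
import re
from collections import defaultdict

# SP 800-53 Rev. 4 security control families (assumption of this example).
# "XX-1 controls" is expanded to the -1 policy/procedures control of each;
# PM-1 is listed explicitly by the table where it applies.
FAMILIES = ("AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA",
            "MP", "PE", "PL", "PS", "RA", "SA", "SC", "SI")

ROW_RE = re.compile(r"^\s*(A(?:\.\d+)+)\s+(.*?)\s*\|\s*(.*?)\s*$")
CTRL_RE = re.compile(r"^([A-Z]{2})-?(\d+)$")


def normalize(token):
    """'PL4' -> ['PL-4']; 'XX-1 controls' -> ['AC-1', 'AT-1', ...];
    any other text (e.g. 'Appendix J Privacy controls') passes through."""
    token = token.strip()
    if token.upper().startswith("XX"):
        return [f"{fam}-1" for fam in FAMILIES]
    m = CTRL_RE.match(token.replace(" ", "").upper())
    if not m:
        return [token]
    return [f"{m.group(1)}-{int(m.group(2))}"]


def iso_key(iso_id):
    """Numeric sort key so A.6.1.5 precedes A.10.1.3."""
    return tuple(int(part) for part in iso_id.split(".")[1:])


def parse_table(text):
    """Return {iso_id: (title, [800-53 controls])}.
    Heading rows such as 'A.6.1 Internal |' have no mapping and are skipped."""
    mapping = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or not m.group(3):
            continue
        iso_id, title, rhs = m.groups()
        controls = []
        for tok in rhs.split(","):
            for ctrl in normalize(tok):
                if ctrl and ctrl not in controls:  # drop empties, keep order
                    controls.append(ctrl)
        mapping[iso_id] = (title, controls)
    return mapping


def reverse_index(mapping):
    """800-53 control -> set of Annex A controls that cite it."""
    index = defaultdict(set)
    for iso_id, (_, controls) in mapping.items():
        for ctrl in controls:
            index[ctrl].add(iso_id)
    return dict(index)


def coverage(mapping, implemented):
    """Classify each Annex A control by how many of its mapped 800-53
    controls appear in `implemented` (identifiers accepted in any spelling)."""
    have = {c for tok in implemented for c in normalize(tok)}
    report = {"full": [], "partial": [], "none": []}
    for iso_id in sorted(mapping, key=iso_key):
        controls = mapping[iso_id][1]
        hits = sum(1 for c in controls if c in have)
        bucket = "full" if hits == len(controls) else "partial" if hits else "none"
        report[bucket].append(iso_id)
    return report


# Constructed sample rows in the flattened spelling of an extracted copy.
SAMPLE_ROWS = """\
A.6.1 Internal |
A.6.1.5 Confidentiality agreements | PL4, PS6, SA-9
A.8.1.3 Terms and conditions of employment | PL-4, PS6
A.10.1.3 Segregation of duties | AC5
A.11.2.2 Privilege management | AC2, AC-3, AC6
A.15.1.1 Identification of applicable legislation | XX-1 controls
"""

if __name__ == "__main__":
    table = parse_table(SAMPLE_ROWS)
    print(sorted(reverse_index(table)["PL-4"]))
    print(coverage(table, ["PL-4", "PS6", "AC-2", "AC-6"]))
```

Feeding the whole table above through `parse_table` gives the full reverse index; the "partial" bucket is the one worth reading, since it lists Annex A controls a mapped 800-53 baseline only half satisfies. The expansion of "XX-1 controls" is deliberately strict (all seventeen -1 controls), so A.15.1.1 will show as uncovered until every family policy exists.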
